
Website operators have to configure a dizzying number of security
properties for their website: protocol versions, TLS ciphers, certificate
hash algorithm, and so on. Most of these properties provide an individual
benefit: when you configure your server to require secure protocol versions
and strong ciphers, connections to your website are immediately made more
secure. It doesn't affect your website's security if some other schmuck is
still using SSLv3 with RC4 and 1024-bit Diffie-Hellman on their website.

However, other security properties, particularly those related to certificates,
provide more of a collective security benefit, where everyone's
security is determined by the security of the
lowest common denominator. A timely example is the hash algorithm
used in certificate signatures. Until recently, SHA-1 was the most common
algorithm. Unfortunately, SHA-1 is dangerously weak, so the Internet is
transitioning to the more secure SHA-2.
Under the current deprecation schedule, certificate authorities must
stop issuing SHA-1 certificates on January 1, 2016, and SHA-1 certificates that are issued
before then must not be valid past January 1, 2017, which means that on January 1, 2017, browsers can
stop trusting SHA-1 certificates.

Unfortunately, since this is a collective security property, there's
nothing an individual website operator can do in the meantime to improve
the security of their site. This site, www.agwa.name, uses a SHA-2 certificate, but the truth is
that it's no more secure than a site using a SHA-1 certificate. That's because an attacker
who can generate a SHA-1 collision can forge a SHA-1 certificate
for www.agwa.name. Since so many websites still use SHA-1 certificates, and it's not
2017 yet, web browsers will accept the forged certificate and be none
the wiser. None of us will be more secure until certificate authorities stop signing, and web browsers
stop accepting, certificates with SHA-1 signatures.
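The one thing an operator can do in the meantime is make sure their own chain is not part of the problem. The following is an added example, not code from the original post: a stdlib-only Python audit that walks the DER structure of a certificate, reads the signature algorithm OID and the validity period, and classifies the certificate against the deprecation schedule described above (no SHA-1 issuance on or after January 1, 2016; no SHA-1 certificate valid past January 1, 2017). The minimal DER walker, the OID table and the status strings are my own; the `fake_certificate` helper builds a constructed, unsigned certificate skeleton so the example runs offline, but `parse_certificate` reads the same fields from a real DER certificate.

```python
"""Classify a DER-encoded X.509 certificate against the SHA-1 deprecation schedule."""
import datetime
from typing import Iterator, List, Tuple

# Signature algorithm OID -> hash used in the signature (subset of common OIDs)
SIGNATURE_HASHES = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "SHA-512",    # ecdsa-with-SHA512
}
SHA1_ISSUANCE_CUTOFF = datetime.datetime(2016, 1, 1)  # no SHA-1 issuance from this date
SHA1_VALIDITY_CUTOFF = datetime.datetime(2017, 1, 1)  # no SHA-1 cert valid past this date


def der_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each DER TLV at the top level of buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag: int, value: bytes) -> datetime.datetime:
    """Decode UTCTime (tag 0x17, RFC 5280 century rule) or GeneralizedTime (tag 0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag {tag:#x}")
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")


def parse_certificate(der_bytes: bytes) -> dict:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    (_, cert), = der_tlvs(der_bytes)
    tbs, sig_alg, _sig_value = [v for _, v in der_tlvs(cert)]
    _, oid_value = next(der_tlvs(sig_alg))  # AlgorithmIdentifier starts with the OID
    fields: List[Tuple[int, bytes]] = list(der_tlvs(tbs))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, ...  -> validity is index 3
    (nb_tag, nb), (na_tag, na) = der_tlvs(fields[3][1])
    oid = decode_oid(oid_value)
    return {"hash": SIGNATURE_HASHES.get(oid, oid),
            "not_before": decode_time(nb_tag, nb),
            "not_after": decode_time(na_tag, na)}


def sha1_deprecation_status(info: dict) -> str:
    """Apply the deprecation schedule: issuance cutoff first, then validity cutoff."""
    if info["hash"] != "SHA-1":
        return "ok"
    if info["not_before"] >= SHA1_ISSUANCE_CUTOFF:
        return "violation: SHA-1 certificate issued on or after 2016-01-01"
    if info["not_after"] > SHA1_VALIDITY_CUTOFF:
        return "violation: SHA-1 certificate valid past 2017-01-01"
    return "legacy: SHA-1, but within the deprecation window"


# --- constructed test input (hypothetical, unsigned certificate skeleton) ---
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid: str, not_before: str, not_after: str) -> bytes:
    """Build a structurally valid Certificate with empty names, no real key or signature."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    for oid, nb, na in [("1.2.840.113549.1.1.5", "150601000000Z", "171231235959Z"),
                        ("1.2.840.113549.1.1.11", "150601000000Z", "171231235959Z")]:
        print(sha1_deprecation_status(parse_certificate(fake_certificate(oid, nb, na))))
```

To audit a real chain, feed each DER file (e.g. the output of `openssl x509 -outform DER`) to `parse_certificate`; any "violation" in a chain you serve is something you can fix today, even though, as the post explains, that does not protect you from a forged SHA-1 certificate issued to someone else.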

What made me really angry about the proposal was the following statement:

These customers accept the risk of continuing to use new SHA-1 certificates

"These customers" accept the risk? As I explained above, the use of SHA-1 is a collective risk shared
by the entire Internet, not just the "very large enterprise customers" who want to keep using SHA-1.
What about the rest of the Internet, who want their TLS connections to be secure and who have dutifully
migrated to SHA-2 in time for the deadline? Did anyone ask them? I sure as hell don't accept
the risk.

The statement is therefore vacuous and thoroughly unpersuasive to anyone who understands how certificates work. But to someone
who doesn't understand or isn't reading too closely, it makes the proposal seem less bad for the Internet at large than it
really is. I hope that the other members of the CA/Browser Forum
see through this and reject the proposal.